A new Internet of Things (IoT) botnet which has been targeting over 1,000 IP camera models has been discovered. Persirai targets Original Equipment Manufacturer (OEM) products from various companies which have different names for their cameras, although they are equally affected by the new botnet. This attack follows the 2016 Mirai which was an open-source backdoor malware that compromised IoT devices such as CCTV cameras and Digital Video Recorders (DVRs) via Distributed Denial-of-Service (DDoS). This bonnet, however, is completely different from Mirai in term of attack module, infect chain and C2 communication protocol.

120,000 cameras infected

So far more than 120,000 IP cameras have been exposed to the Persirai botnet. Most of the users who are victims of the attack have no idea that their IP cameras are open to the internet, making it very easy for the perpetrators behind the malware to have access. One of the main reasons that have made IP cameras this vulnerable is due to the fact that they use Universal Plug and Play (UPnP), which are network protocols that allow devices to act as a server by opening a port on the router, hence making them more visible as targets for IoT malware.

Rebooting deletes the malware, but security issues remain

When an attacker logs into the vulnerable interface, a command injection can be performed to force the IP camera to a download site via a specific command. The malware deletes itself after downloading and executing the samples and only runs in memory. The malware then blocks the zero-day exploit that prevents the IP camera from being exploited by other attackers. After rebooting, the malware is no longer able to block and the IP camera once again becomes vulnerable to attacks.

Pierre Kim, an independent researcher, advises users to immediately disconnect their IP cameras from the internet so as to stay safe from the malware attacks.